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The security of device-independent (DI) quantum key distribution (QKD) protocols relies on 
the violation of Bell inequalities. As such, their security can be established based on minimal 
assumptions about the devices, but their implementation necessarily requires the distribution of 
entangled states. In a setting with fully trusted devices, any entanglement-based protocol is essen¬ 
tially equivalent to a corresponding prepare-and-measure protocol. This correspondence, however, 
is not generally valid in the DI setting unless one makes extra assumptions about the devices. Here 
we prove that a known tight lower bound on the min entropy in terms of the CHSH Bell correl¬ 
ator, which has featured in a number of entanglement-based DI QKD security proofs, also holds 
in a prepare-and-measure setting, subject only to the assumption that the source is limited to a 
two-dimensional Hilbert space. 


The security of quantum key distribution (QKD) rests 
on tradeoffs inherent to quantum physics, such as the im¬ 
possibility of state cloning, the measurement-disturbance 
tradeoff, or the monogamy of entanglement. Simil¬ 
arly, the security of device-independent (DI) QKD [1- 
3], which can be established with minimal assumptions 
about the internal functioning of the devices, is based on 
a fundamental tradeoff between the violation of Bell in¬ 
equalities and the unpredictability of quantum measure¬ 
ments. The simplest setting in which this tradeoff can 
be stated involves two separate parties, Alice and Bob, 
sharing two subsystems in an entangled state on which 
they perform, respectively, one of two measurements 
x,y £ {0,1} yielding one of two outcomes a, 6 G {0,1}. 
In this setting, the expectation value 

S=J2{-ir+^+^^P{ab\xy) ( 1 ) 

abxy 

of the CHSH Bell correlator [4], where P{ab \ xy) denotes 
the joint probabilities for outcomes a, b given measure¬ 
ments X, y, implies the fundamental lower bound 

HrniniA I E) > 1 - log2(l + \/2 - syi) (2) 

on the min entropy Hram{A \ E) of Alice’s outcome con¬ 
ditioned on one of Alice’s inputs (say, a: = 0) and the 
quantum side information E of any potential adversary. 
This relation is tight and is attained with equality with 
the optimal attack described in [3]. 

Contrarily to other tradeoffs used in standard QKD, 
which assume some level of trust and characterisation of 
the quantum systems, the bound (2) is device independ¬ 
ent in the sense that it holds for any quantum state pabe 
and measurement operators {Ma\x\ and charac¬ 

terising Alice’s and Bob’s devices. The relation (2) was 
first derived in the context of Dl-randomness certification 
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[5] and has since featured as an ingredient in a number 
of DI QKD security proofs [6-8] . 

Since they are based on the violation of Bell inequal¬ 
ities, DI QKD protocols are entanglement-based (EB) 
protocols. Indeed, in the DI setting, entanglement is 
necessary to guarantee security with a minimal set of 
assumptions on the devices [9]. Implementations of tra¬ 
ditional (non-DI) QKD protocols, such as BB84 [10], are, 
however, usually of the prepare-and-measure (PM) type. 
In a PM protocol, Alice uses a source to prepare certain 
states which are then transmitted through a quantum 
channel to Bob who performs measurements on them. 
PM schemes have the practical advantage that they do 
not require the manipulation of entanglement. For this 
same reason, however, they cannot be fully DI. Recent 
works have nevertheless considered the possibility of PM 
QKD schemes that are at least partially DI [11, 12]. 

In traditional QKD, a famous argument establishes an 
equivalence between the security of PM and EB pro¬ 
tocols [13]. In the BB84 protocol, for instance, Alice 
could prepare the four BB84 states by preparing a $+ 
Bell state (10 )a|0)a' + 11)a|1)a')/V 2 ( in some Hilbert 
space FLa ® FLa' ) in her lab and measuring either in the 
computational ({10)a, |1)a}) basis or in the Hadamard 
({|+)a,| —)a}) basis in "Ha and transmitting the projec¬ 
ted state in "Ha' to Bob. Since the security can only be 
reduced if the $+ state is replaced by a state 1V')abe 
chosen by an adversary (Eve) and shared between Alice, 
Bob, and Eve (the situation considered in EB security 
proofs), a security proof of the EB version of the BB84 
protocol automatically implies the security of the PM 
version. 

In the DI setting one can similarly associate a corres¬ 
ponding PM scheme to any EB scheme. In particular, 
one can consider a PM version of the above CHSH scen¬ 
ario, as illustrated in Fig. 1. In this PM version, Alice 
possesses a source which can emit one of four different 
quantum states, noted p, p', a, and a', depending on a 
respective choice of input {x, a) = (0,0), (0,1), (1,0), and 
(1,1). Alice randomly chooses x G {0,1} (not necessar¬ 
ily equiprobably) and chooses a G {0,1} randomly and 
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Figure 1. Semi-device-independent scenario with the prepare- 
and-measure CHSH estimation. Alice’s source (Sa) can emit 
one of four different qubit states Px,a & {p, p', n, a'} depending 
on a choice of input (x,o) G {0,1}^. Bob’s measurement 
device (Mb) performs one of two measurements depending on 
a choice of input y G {0,1}, yielding an outcome b G {0,1}. 

equiprobably and attempts to transmit the correspond¬ 
ing state to Bob, who may perform one of two binary- 
outcome measurements on them (indexed by the input 
y G {0,1} and output b G {0,1}). We can then define 

= (3) 

abxy 

as the PM analogue of the CHSH correlator (1). 

In a traditional (non-DI) setting, the equivalence 
between the EB and PM scenarios would imply that the 
bound (2) on Alice’s randomness as a function of the 
CHSH correlator also holds in the PM version. In a DI 
setting, however, this equivalence is not immediate at all. 
First, the PM version cannot be fully DI (because the 
source could simply transmit Alice’s choice of input clas¬ 
sically). The security of a PM version will thus depend 
on some minimal assumption about the source. One pos¬ 
sibility is to assume a dimension bound on one or more 
of the devices; such semi-DI PM schemes were proposed 
in [11]. Second, states prepared by measurements on half 
of an entangled pair satisfy a constraint called basis inde¬ 
pendence: if a set {px\ of states is prepared with associ¬ 
ated probabilities {px} by performing a measurement on 
half an entangled pair, the average state PxPx is inde¬ 
pendent of the measurement used to prepare it (a version 
of the no-signalling principle). The basis-independence 
constraint, however, need not be satisfied, and is actu¬ 
ally explicitly relaxed, in the PM setting. 

We show here that the fundamental bound on Alice’s 
min entropy (2) nevertheless still holds in a semi-DI set¬ 
ting, with the PM version of the CHSH correlator (3) 
used in place of (1). Such a result can then be used 
to bring the semi-DI setting (for which security proofs 
are lacking) closer in line to known security results for 
DI QKD. In particular, the conditional min entropy can, 
for instance, be used to lower bound the Devetak-Winter 
key rate [14] in order to establish the security against 
collective attacks of a semi-DI QKD protocol based on 
the estimation of the CHSH correlator (3). 

Dimension assumption .— Let us start by making 
precise the assumption that we need to derive (2) in the 
PM setting. During the transmission from Alice to Bob, 
an adversary may perform an arbitrary unitary operation 


on the states sent by Alice, with the intent of gaining 
some information about them. (More general quantum 
operations can be made unitary by enlarging the ad¬ 
versary’s Hilbert space, according to Stinespring’s dila¬ 
tion theorem.) Following this unitary attack, the emitted 
state px,a is now shared between Bob and Eve [15], i.e., 
acts on a Hilbert space Hb <8 He- We make the assump¬ 
tion that the two differences p — p' and a — a' between 
the source states (after the unitary attack) share their 
support on a common two-dimensional subspace Ha of 
Hb ® He- We refer to this condition as the qubit source 
assumption. We will later discuss the physical implica¬ 
tions of this assumption; for now we simply take it as a 
mathematical condition satisfied by the states prepared 
by Alice’s box. 

A simple example illustrates the necessity of the qubit 
source assumption. Specifically, if Alice’s source prepares 
pure states px,a = \i^x,a){i^x,a\ which are duplicate copies 
of the BB84 states, 

IV’oo) = |0)b|0)e , IV’oi) = |1)b|1)e , (4) 

IV’io) = |+)b|+)e , IV’ii) = |-)b|-)e , (5) 

in which |0) and |1) are orthonormal and |±) = ^[|0) ± 

|1)], the maximal value S = 2^/2 can be attained while 
Eve always acquires exactly the same state as Bob. These 
states are not linearly independent (one can readily verify 
that |0)|0) -I- |1)|1) = |+)|+) + |—)|—)) and span a three- 
dimensional Hilbert space, from which we see that the 
security of the semi-DI scenario is fully compromised if 
the qubit source assumption is not satisfied. 

Min entropy and Eve’s distinguishability. — To prove 
the bound (2), let us first note that if the input a is 
chosen equiprobably, its min entropy, conditioned on the 
case x = 0 and on Eve’s quantum side information, is a 
function of the classical-quantum state 

tae = 5|0)(0| Ope + 5|1)(1| ® Pe, (6) 

in which pg and pg are Eve’s marginals of the states p 
and p' after some given unitary attack (in the rest of 
this article, subscripts indicate partial tracing in the ob¬ 
vious way, e.g., pb = TrE[p]). Evaluated on (6), the min 
entropy can be expressed [16, 17] as 

H„i„(A I E) = 1 - log2(l + D(pe,p'e)) , (7) 

with the trace distance between pg and pg defined by 

^(Pe.Pe) = Upb -PeIIi where ||A||i = Tt[VA^A] de¬ 
notes the trace norm of an operator A. We will obtain 
the main result (2) by showing that the trace distance 
appearing in (7) is upper bounded by 

^(Pe,Pe)< \/2-52/4 (8) 

in terms of S. 

Outline of proof. — We now outline the derivation of 
(8). The lengthier and more pedestrian parts of the proof 
are given in the appendix. 
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Let us first introduce operators Z and X defined such 
that 


p- p' = aZ , (9) 

a-a' = I3X, (10) 

with a = ^IIp — p'lli and /3 = ^\\a — a'\\i such that 
the (traceless qubit) operators Z and X satisfy ^H^Hi = 
^||X||i = 1. Then, in terms of these operators, the CHSH 
expectation value (3) can be expressed as 

S=^TT[UBiaZB+PXB)+VB{aZB-PXB)] , (11) 

where Ub = Eb(-l)'’^6|y=o and Vb = 
are Hermitian unitary operators acting on TLb describ¬ 
ing the observables corresponding to the (without loss of 
generality, projective) measurements y = 0 and y = 1- 
A general result for any pair of Hermitian unitaries 
is that they admit a common block diagonalisation in 
blocks of dimension no more than 2. We can thus set 

Ub = ^U^, VB=^Vi, (12) 

k k 


in which Hg and are still Hermitian and unitary and 
of dimension at most 2, Vfc (the Jordan lemma [18], see 
Lemma 2 of [9] for a short proof). This reduces the prob¬ 
lem to considering qubit subspaces on Bob’s side. For 
each subspace fc, we can define the corresponding contri¬ 
bution to S by 

Su = \aTr[{U^ + Vi)ZB] + - V^)Xb] , (13) 

with Sk = S. Similarly, we define a probabilistic 
weight for each subspace k by 


Pk = i Tr[l|jB] , (14) 


with ^f.Pk = 1, defined in terms of the projection op¬ 
erator Ig on the kth subspace (satisfying Ig = (Hg)^ = 
(Hg )^) and the partial trace Ib = TrE[T] of the identity 
on the space of source states (satisfying I = Z^ = X'^). 

We now introduce an orthonormal basis {|y), |y')} of 
the space of source states chosen such that Y = |y)(y| — 
|y')(y'| is orthogonal to the operators Z and X, defined 
by Eqs. (9) and (10), on the Bloch sphere. In this basis, 
in an appropriate phase convention, Z and X can be 
expressed as 


^ = e'i|y)(y1+e-'f|y')(y|, (15) 

^ = e-‘2|y)(y'|+e‘2|y')(y| (16) 


for some (a priori unknown) angle p, while the source 
space identity operator I takes the expression 


i = |y)(y| + |y')(y'l- (i7) 


One can readily verify that {Z, Y} = {X, Y} = 0, that 
\Z, X] = 2isin((/j)y, and that {Z, X} = cos{p)T. An 
important step in the derivation of the trace-distance 


bound (8) consists in turning the value of S into a con¬ 
straint on the part Yb of the operator Y accessible to 
Bob [19]. Specifically, in each subspace k defined by the 
block diagonalisation (12), we prove in Appendix A that 
there exists a Hermitian unitary operator VFg with the 
property that 

al TtIW^Yb] > (18) 

where Sk andpfc are as defined in (13) and (14). Eq. (18) 
holds regardless of the value of /3 appearing in (13) and 
of p in (15) and (16). Note that a can also be eliminated 
using that \ Tr[lVgyB] > Tr[IFgyB]- 

In order to obtain the upper bound (8) on Il(/5g,pg), 
we also derive a tradeoff between the quantity 
5 ^[W'gyB], appearing in (18), and the distinguishabil- 
ity of Eve’s states. Specifically, we prove in Appendix B 
that, for any Hermitian unitary Ue acting on He, the 
inequality 

i Tr[W^yB]' + i Tr[(l| ® Ue)Z]^ < Pk^ (19) 
holds in each subspace k. 

We obtain (8) by taking for Ue in (19) a Hermitian 
unitary such that \ Yv\UeZe] = ||1^eI!i [20]. Because 

D{pe,Pe) = Q^III^eIIi < 5 II-^e||i, the trace distance is 
upper bounded by 

D{pE.p'E)<Y.\Yv[{ti®UE)Z]. (20) 

k 

Using (18) and (19) and omitting a, we have 

4 Tr[(l| 0 Ue)Z] < PkV^-{SklPk)y^. (21) 

and substituting (21) into (20) and using that the func¬ 
tion S I—)■ 1/2 — S’^/A is concave, we finally obtain 

4I(Pe, Pe) — 5 Tr[(l| 0 Ue)Z'\ 

k 

< y^pfc\/2 - {Sk/PkY/^ 

k 

— \J‘^ ~ (Sfe /4 
= \/2-S'2/4. (22) 

Combining with the expression (7) for the min entropy, 
we obtain (2). 

As with its EB counterpart, (8) and the resulting min- 
entropy bound are tight and are attained with a PM ver¬ 
sion of the optimal attack originally given in [3] ; for com¬ 
pleteness we have included a description of this attack in 
Appendix C. 

Discussion of the quhit assumption. — Having proven 
our main result, let us now discuss the qubit source as¬ 
sumption in more detail. Note first that Alice’s “pre¬ 
paration” device may not in general actually prepare a 
new state from scratch, but instead implement a trans¬ 
formation on a preexisting qubit stored in her box, which 
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could be entangled with Eve’s system prior to the pro¬ 
tocol. The presence of such prior entanglement between 
Alice’s device and Eve may completely break the secur¬ 
ity of a PM scheme, as noted in [If], However, since 
our qubit assumption is formulated in the total space 
Hb 0 'He including Eve’s Hilbert space, it naturally lim¬ 
its the amount of potential prior entanglement between 
Alice and Eve (or Alice and Bob) and thus a nice math¬ 
ematical feature of our formulation is that we do not 
need to state this limitation on prior entanglement as a 
separate, additional assumption. 

On the other hand, since our qubit assumption is for¬ 
mulated in the space Hb ® He after Eve’s attack, it may 
not be possible to practically verify this assumption in a 
cryptographic setting (since Alice and Bob do not have 
access to Eve’s system). Note, however, that a suffi¬ 
cient condition for our assumption to be satisfied is that 

(1) there exists no prior entanglement between Alice and 
Eve or Bob (e.g., Alice’s preparation box has no quantum 
memory), and (ii) the states sent by Alice’s box, before 
going through the channel and suffering Eve’s (without 
loss of generality, unitary) attack, are such that p — p' 
and <7 — a' have support in the same two-dimensional 
subspace. Under these conditions, the states p — p' and 
a — a' after Eve’s unitary attack will still share the same 
two-dimensional support and thus our qubit source as¬ 
sumption will be satisfied. However, the condition that 
we use to derive the min-entropy bound (2) is formally 
weaker than the combination of i) and ii) as these only 
represent sufficient conditions for our assumption to be 
satisfied. 

Another nice feature of our formulation is that the 
qubit assumption refers only to the differences p — p' and 
a — a' and not directly to the states p^^a themselves, 
which may live in a higher dimensional Hilbert space. 
For instance, in an optical implementation, each “qubit” 
may be a qubit encoded in the polarisation degree of free¬ 
dom of a single photon, but may also possess a vacuum 
component and thus formally be a three-level system of 
the form p^^a = p|0)(0|-|-(l-p)pa,a;, where pa,x is the one- 
photon polarised qubit part. Still, the differences p — p' 
and a — a' only involve the genuine qubit parts and thus 
satisfy our qubit source assumption. 

Finally, let us remark that our assumption can imme¬ 
diately be weakened in two ways. First, using convexity 
arguments, it is easy to see that the min-entropy bound 

(2) still holds if Alice’s, Bob’s, and Eve’s systems share 
prior classical randomness, provided that for any value 
A of the shared randomness, the differences p^ — p\ and 

— a'-^ satisfy the qubit assumption. Again, it may not 
be possible to practically verify this assumption in the 
most general DI setting (as Alice and Bob will not have 
access to the individual values of the shared randomness 
if their devices are uncharacterised). However, a suffi¬ 
cient condition for this assumption to be satisfied is if 
each of the averaged states px,a — Q\Px,a;\ are con¬ 
tained in the same qubit space, a condition which does 
not require any knowledge of the shared randomness. 


Second, we point out that the bound on the min en¬ 
tropy is also robust with respect to the qubit assump¬ 
tion; i.e., this assumption need only be approximately 
verified. Specifically, suppose that, instead of assum¬ 
ing (9) and (10), we assume that there exist traceless 
two-dimensional unit operators aZ and j3X such that 
\\\{p — p') — oiZ\\i < e and ^\\{cr — a') — l3X\\i < e. Then 
it is easy to see that D{p^,p'^) < f||aZE||i -l-e and that 
the CHSH expectation value computed with aZ and PX 
cannot differ from S by more than 4e. Small deviations 
from the qubit source assumption can thus be tolerated, 
with a bound on the min entropy no worse than 

I E) > l-log2(l + V2-(^-4e)74 + £) . (23) 

Conclusion .— We gave a proof that the fundamental 
lower bound (2) on the randomness of Alice’s outcomes as 
a function of the CHSH expression, originally derived in 
the context of device-independent QKD and randomness 
certification, still holds in a PM setting with a qubit as¬ 
sumption. Though the equivalence between EB and PM 
schemes in standard QKD may a priori suggest that this 
should naturally be the case, this is not at all immediate 
as this equivalence breaks in a DI setting. Indeed, the 
techniques that we have used here to establish the lower 
bound (2) in the PM setting are quite different from the 
ones used to establish the EB version of this bound. 

This fundamental lower bound (2) can now, in prin¬ 
ciple, be used as a building block to prove the security 
of semi-DI QKD protocols, in the same way that it was 
used in the fully DI setting in Refs. [6-8]. 

We remark that in the EB scenario, an analogous tight 
bound for the Holevo quantity (or, equivalently, the con¬ 
ditional von Neumann entropy) instead of the min en¬ 
tropy had earlier been presented in [3] as part of a secur¬ 
ity proof against collective attacks. The conditional von 
Neumann entropy can likewise, in principle, be bounded 
in the PM scenario. A partial result for the von Neumann 
entropy, restricted to the case where Bob’s measurements 
are additionally assumed to be two-dimensional, is given 
in Ref. [21]. 

Finally, having shown that our min-entropy bound 
holds for Alice’s system conditioned on Eve, it would be 
interesting to investigate whether a similar result holds 
for the min entropy \ E) associated with Bob’s 

measurement outcome. In particular, a version of this 
result conditioned on just one of Alice’s state prepar¬ 
ations would apply immediately to the problem of ran¬ 
domness certification [5, 22-24], which has similarly been 
investigated in PM scenarios ]25, 26]. 
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Appendix A: Proof of (18) 

As explained in the main text, after applying the 
Jordan lemma the optimal expectation value (11) of S 
can be expressed as S = with 


Finally, in order to reexpress Sk in a form better suited 
for determining an upper bound, we introduce new coef¬ 
ficients 


cos(^*‘^‘^) -1- isin('^*=^ ‘^) , 

(A12) 

cos(^'‘4‘^) ~ isin(^^^^) , 

(A13) 

7± = 4(a±/3), 

(A14) 


such that 


Afe = 7+^fc -|-7_^fc , 

(A15) 

fik = 1+Vk + 7-^fc • 

(A16) 


Sk = ^aTiliUk + Vk)Z] + i/3Tr[(C/fc - Vk)X] , (Al) 

where we have set Uk = ® 1e and 14 = I^b ® 

and Ub and are the Hermitian unitary operators of 
dimension at most 2 appearing in (12) and (13). 

Inserting the expressions (15) and (16) for the operat¬ 
ors Z and X, Sk can be expressed as 

Sk = aRe[(y|e "‘2 {Uk + Vfc)|y')] 

+ /3Re[(y|e'f(C/fe-I4)|y')] (A2) 


Inserting these into the expression for Sk, we arrive at 

Sk/2 = Re[a(7+(Afc|A;) +7_(Bfc|B;,)) 

+ J^fc(7-(Afc|A).)-I-7+(Bfc|Bjj))] . (A17) 

In order to obtain a useful upper bound on Sk, we 
begin by taking the absolute value of the various terms 
in (A17), obtaining 

^fc/2<|e.|(l7+ll(A,|A')| + |7-||(B,|B')|) 

+ |:.,|(|7-||(A,|A')| + |7+||(Bfc|B')|). (A18) 


in terms of the y states. The only interesting case is 
where both t/g and Eg are two-dimensional and of ei¬ 
genvalues -1-1 and —1. In this case, if C/g and Eg are 
separated by an angle 7 fc on the Bloch sphere, one can 
choose an orthonormal basis {|wfe)B, |w)j)b} in which 

I/b + = 2cos(^)(|wfe)(wfc|B -f |wfc)(wfe|B) , (A3) 

= 2sin(^)(i|wfc)(w'fc|B - i|wfc)(wfe|B) . (A4) 

Inserting this into (A2), the expression for Sk can be 
simplified to 


Sk/2 = Re[(y|(Afc|wfe)(w),|B +/rfe|w;,)(wfc|B) 0 Ifily')] > 

(A5) 

where we have collected the various angles into 


Afe = 

acos(^)e *2 

+ i/3 sin(^^ 

|A2 , 


Mfe = 

acos(^)e“'2 

— i/3sin(^' 

|e'2 

(A6) 

for convenience. Introducing now vectors 




Afc) = ((wfc B 

o iE)|y), 


(A7) 


|A'fc) = ((w',|B 

o iE)|y'), 


(AS) 


|Bfc) = ((w'fclB 

o iE)|y), 


(A9) 


|Bfc) = ((wfclB 

o iE)|y') 


(AlO) 


(in "He) in order to further simplify the notation, we ob¬ 
tain 


Sk/2 = Re[Afe(Afe|A;,) + iJik{^k\K)] ■ (AH) 


Applying the Cauchy-Schwarz inequality, using that 
\ik? + \ vk\'^ = 2, and developing, 

Sk^/A < 2(|7+||(Afc|A;,)| + |7_||(Bfc|B',)|)' 

+ 2(^|7-l|(Afe|A^)| -I- |7+||(Bfc|B^)|^ 

= 2(7+"+7-')(|(AfeK)| V |(Bfc|B;,)|") 

+ 8|7+7-l|(Afc|A;)||(Bfc|B;)| 
<2(7+"+7-^)(l|Afef||A;f+ ||Bfcf||B;f) 

+ 8|7+7-lllAfe||||Al.|||lBfc||||B;,|i, (A19) 

where we used the Cauchy-Schwarz inequality again 
to substitute |(Afc|A;,)| < ||Afc||||Ay| and |(Bfc|B;,)| < 
||Bfe||||B^|j. Applying now that 

2||A,||||A'||<EA = ||A,f+ ||A;f , (A20) 

2||Bfc||||B',||<SB = ||Bfcf+ ||B'f , (A21) 

we find that 

^fcV4< |(7+"+7-')[V +V] +2|7+7 -|SaSb 
= min(a^,/3^)l(EA - Eb)^ 

+ max(a^/32)l(EA + EB)^ (A22) 

Reinserting the definitions of the vectors |Afc), |A).), |Bfc), 
and |B).), note that 

Ea - Eb = Tr[IF^rB], (A23) 

Ea + Eb = Tr[l|jB], (A24) 






where we recall that we defined 


stituting Pe = 5(1e + C^e) and Qe = ^( 1 e - %), 
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21= |y)(y| + |y')(y'h (A25) 

i^ = |y)(y|-|y')(y'l, (A26) 

Ib = Ti'e[21], 1b = TrE[y], and we have introduced 

1b = kfc)(wfe|B + |wfc)(wfc|B , (A27) 

Wb = |wfc)(wfe|B - |wfc)(w;,|B . (A28) 

In this way, we find that Sk is upper bounded by 

V4 < min(a^/3") i Tr^FB]" 

+ max(a", /3^) | Tr[l|jB]" • (A29) 

Finally, we substitute min(a^,/3^) < a^, max(a;^,/?^) < 
1, and Pk = ^ T^[1b21b] in order to obtain 

S,y4<a^TT[W^YB]^+p,^, (A30) 

which rearranges to (18) in the main text. (If 4 Tr[VF 3 yB] 
is negative, we simply replace !->■ —W^.) 

Appendix B: Proof of (19) 

We start with the term 4 ^[IFglB]- In an appropriate 
phase convention, the operator Y can be expressed as 

y = e*2 |z)(z'|+e“W|z')(z|, (Bl) 

where |z) and |z') are the eigenstates of Z such that Z = 
|z)(z| — |z')(z'|. In terms of these z states, 

4 TtIW^Yb] = 4 Tr[(W| 0 Ie)^] 

= Re[e-'f (z|W^®1e|z')] 

< |(z|W|®1e|z')| • (B2) 

We let C/e be any Hermitian unitary operator acting on 
He- Such an operator can always be expressed as the 
difference between two orthogonal projectors, which we 
call Pe and Qe, such that Ue = Pe — Qe- Inserting 
1 e = Re + Qe into the last line of (B2) and developing, 
we obtain 

4 Tr[W|yB] < |(z|VF^ 0 Re|z')| + |(z|W^ (g) Qe|z')| 

< (z|ll| (g) Pe\'z)\J (z'|1b ® Re|z') 

+ \l (z|1b ® QE|z)y^(z'|l| (g) QeIz') 

< \J (z|11b ® Re|z) + (z'|ll| (g) Qe|z') 

X ^ (z'|l| (g) Re|z') + (z|ll| (g Qe|z) , (B3) 

in which we used the Cauchy-Schwarz inequality and that 
(IFb)^ = Ig to obtain the second and third lines. Sub- 


4 Tr[W^rB] < ^Pk + \Pr[{tl®UE)Z] 

X \jpk- ^ Tr[(l| (g) Ue)Z] 

= ^p7^iW[(l|^C4l)yf, (B4) 

where we recovered I = |z)(z| -|- |z')(z'|, Z = |z)(z| — 
|z')(z'|, and Pk = \ Tr[lglB]- The end result rearranges 
to (19) in the main text. 

Appendix C: Tightness of the min-entropy bound 

The lower bound (2) on the conditional min entropy is 
tight and is attained with a PM version of the optimal 
collective attack given in [3], which we describe here. We 
set the states (following Eve’s attack) to p = |a)(a| 
and p' = |a')(Q;'|, where 

|a) = |0 )b|iA)e , |a') = |1 )b|^/’')e , (Cl) 

in which |0 )b and |1 )b are orthonormal and |'!/')e and 
W) E are normalised states whose inner product defines 
the specific attack. We set (V'lV’O = Rz lo'' some real 
constant 0 < Rz < 1. We also set cr = \l3){j3\ and a' = 
1/3') (/3'I with 

|/3) = ^(|a) + |a')), (C2) 

|/3') = ^(|a)-|a')). (C3) 

With these definitions, the source states span a qubit 
subspace. Note that (ala') = (/3|,d') = 0, such that a = 

/3 = 1. 

From the above definitions, we have that pg = |'0 )(?/;|e 
and p'b = |V^')('i/''|E, and thus 

D{pb,p'e) = V^^^- (C4) 

For the operators Z = |a)(a| — |a')(a'| and X = |/3)(/3| — 
\P'){I^'\ = + W){o-\, we find the partial traces 

^B = |0)(0|b-|1)(1|b =az (C5) 

and 

Ab = Rz(|0)(1|b + |1)(0|b) = Rz^x . (C6) 

For optimal measurements on Bob’s side, we can write 
(11) as 

S = III Zb + Ab||i + \ \\Zb — Ab||i 
= llkz + RzCTxIIi + ^llcTz - RzCTxIIi 
= 2yrTF7, (C7) 

which rearranges to 

Rz = ^52/4 - 1. (C8) 

Combining with (C4) confirms that we have described a 
family of attacks for which 44 (pe,Pe) = \/2 — S' 2 y' 4 _ 
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